quasar | 14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

Analysis

max time kernel
254s
max time network
349s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Size

601KB
MD5

ac916695fe810d70b17bf78c9474aa4e
SHA1

36d871bd8f2bbd050f5218ad994fbe04d1cfe759
SHA256

14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a
SHA512

21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f
SSDEEP

12288:wgxy4jZZ8vDc6h3iUhFbAsUMdzxP0V2t5fI44FPTZFyd:1xy4jZ+vDc05hFXxxEIfhe7yd

Score

10^/10

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

hacked

23.105.131.178:7812

Mutex

VNM_MUTEX_0Ae9WwC7TPO9smz3BJ

Attributes

encryption_key
jCEkwlvO5Scyan0S8vZo
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/668-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-62-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-63-0x0000000000486C6E-mapping.dmp	disable_win_def
behavioral1/memory/668-65-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-67-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1740-82-0x0000000000486C6E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/668-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-63-0x0000000000486C6E-mapping.dmp	family_quasar
behavioral1/memory/668-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-67-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1740-82-0x0000000000486C6E-mapping.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 2 IoCs

pid	Process
2044	Windows Security Health Service.exe
1740	Windows Security Health Service.exe

Loads dropped DLL 2 IoCs

pid	Process
668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
2044	Windows Security Health Service.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe\""	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Security Health Service.exe\""	Windows Security Health Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 2044 set thread context of 1740	2044	Windows Security Health Service.exe	33

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
868	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
Token: SeDebugPrivilege	1740	Windows Security Health Service.exe
Token: SeDebugPrivilege	1740	Windows Security Health Service.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	Windows Security Health Service.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 692 wrote to memory of 668	692	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	28
PID 668 wrote to memory of 868	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	30
PID 668 wrote to memory of 868	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	30
PID 668 wrote to memory of 868	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	30
PID 668 wrote to memory of 868	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	30
PID 668 wrote to memory of 2044	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	32
PID 668 wrote to memory of 2044	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	32
PID 668 wrote to memory of 2044	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	32
PID 668 wrote to memory of 2044	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	32
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 2044 wrote to memory of 1740	2044	Windows Security Health Service.exe	33
PID 668 wrote to memory of 1728	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	34
PID 668 wrote to memory of 1728	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	34
PID 668 wrote to memory of 1728	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	34
PID 668 wrote to memory of 1728	668	14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe	34
PID 1740 wrote to memory of 1636	1740	Windows Security Health Service.exe	36
PID 1740 wrote to memory of 1636	1740	Windows Security Health Service.exe	36
PID 1740 wrote to memory of 1636	1740	Windows Security Health Service.exe	36
PID 1740 wrote to memory of 1636	1740	Windows Security Health Service.exe	36

C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
"C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
  "C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:868
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe

Filesize
601KB

MD5
ac916695fe810d70b17bf78c9474aa4e

SHA1
36d871bd8f2bbd050f5218ad994fbe04d1cfe759

SHA256
14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

SHA512
21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe

Filesize
601KB

MD5
ac916695fe810d70b17bf78c9474aa4e

SHA1
36d871bd8f2bbd050f5218ad994fbe04d1cfe759

SHA256
14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

SHA512
21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe

Filesize
601KB

MD5
ac916695fe810d70b17bf78c9474aa4e

SHA1
36d871bd8f2bbd050f5218ad994fbe04d1cfe759

SHA256
14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

SHA512
21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe

Filesize
601KB

MD5
ac916695fe810d70b17bf78c9474aa4e

SHA1
36d871bd8f2bbd050f5218ad994fbe04d1cfe759

SHA256
14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

SHA512
21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe

Filesize
601KB

MD5
ac916695fe810d70b17bf78c9474aa4e

SHA1
36d871bd8f2bbd050f5218ad994fbe04d1cfe759

SHA256
14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

SHA512
21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

Download Submit
memory/668-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/692-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/692-56-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/692-54-0x0000000001230000-0x00000000012CE000-memory.dmp

Filesize
632KB

Download
memory/1728-93-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-92-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-74-0x0000000000AF0000-0x0000000000B8E000-memory.dmp

Filesize
632KB

Download